On Mon, 25 Oct 1999, Bastiaan Bakker wrote:
> Mihai Ibanescu wrote:
>
> > Hello
> >
> > Another question. How to generate the nonce and cnonce. The draft
> > says they are implementation dependent, but should have at least 64 bits
> > of entropy. As far as I know as a security issue, the {c,}nonce should be
> > unpredictable. So, I am thinking to compute them as a MD5 hash of a struct
> > timeval returned by gettimeofday. AFAIK, gettimeofday is quite portable
> > (not POSIX, but SVR4 and BSD 4.3 support it), and it's impossible to
> > estimate the exact moment (and when I say exact I mean exact by 1e-6
> > seconds!) when the challenge/response occur. And hashing it should give me
>
> The attacker may not know the exact moment, but probably he can guess the
> value within a range of one second. That range contains about 2^20 values,
> giving an entropy of 20 bits. (Actually less, because the distribution is not
> even).
>
> >
> > the needed entropy.
>
> Hashing does not add any entropy at all! Allthough the hash result seems
> unpredictable, it is not. The number of possible results is identical to the
> number of possible inputs, so you end up with the same 20 bits of entropy.
> > Anyone has a comment on that?
> >
>
> To be blunt: using gettimeofday to get SECURE random numbers is a really
> BAD idea! Most operating systems have much better ways to get random numbers
> (for example /dev/random). These specifically have been developed with
> security in mind, so use them!
Yeah, but I am thinking in terms of portability. Is reading from
/dev/random portable enough? AFAIK, linux supports it, but Solaris does
not.
Maybe I shouldn't think of portability now, and just use
/dev/random.
Thanks.
Misa